1. Field of the Invention
The present invention generally relates to message transmission systems and, more particularly, to a system for secure generation and transmission of cryptographic keys from a generating station to one or more using stations where the use of the cryptographic key at each using station is controlled via a control value established by the generating station. Under the protocol according to the invention, a generating station may also be a using station.
2. Description of the Prior Art
Cryptography is the only known practical means for protecting information transmitted through a large communications network, be it telephone line, microwave, or satellite. A detailed discussion of how cryptography can be used to achieve communications security is provided in the book by Carl H. Meyer and Stephen M. Matyas entitled Cryptography: A New Dimension in Computer Data Security, John Wiley & Sons (1982). Cryptography can also be used to achieve file security, and a protocol is developed in the Meyer and Matyas book for the encryption of data stored in removable media. Other subjects discussed in the book are enhanced authentication protocols, including personal verification, message authentication, and digital signatures. These subjects are of particular interest to those concerned with electronic funds transfer and credit card applications within the banking and finance industry, or any other area where the originator, timeliness, contents, and intended receiver of a message must be verified.
In the prior art, several references respectively illustrate protocols for distributing cryptographic keys among cryptographically communicating nodes. Further, they discuss authentication as a process independent of the establishment of session keys. These references include U.S. Pat. No. 4,227,253 to Ehrsam et al. entitled "Cryptographic Communication Security for Multiple Domain Networks" issued Oct. 7, 1980, and U.S. Pat. No. 4,218,738 to Matyas et al. entitled "Method for Authenticating the Identity of a User of an Information System" issued Aug. 19, 1980. The Matyas et al. patent involves a node sending a pattern to a terminal requiring the terminal to modify the pattern and remit its modification back to the host to permit a comparison match.
Ehrsam et al., U.S. Pat. No. 4,227,253, describe a communication security system providing for the establishment of a session key and the concept of cross-domain keys. The Ehrsam et al. patent typifies a mechanism, i.e., the use of cross-domain keys, used for exchanging session key information between nodes on the one hand and protecting the secrecy of the node master keys on the other hand. More specifically, Ehrsam et al. describe a cryptographic facility at a host computer which, among other things, has a master key KM0 with first and second variants of the master key, denoted KM1 and KM2, and cryptographic operations in support of cryptographic applications and key management, denoted ECPH, DCPH, RFMK, and RTMK. Variants of the master key are obtained by inverting designated bits in the master key to produce different keys, which is equivalent to Exclusive-ORing predetermined mask values with the master key to produce the variant master keys. The mnemonics ECPH, DCPH, RFMK, and RTMK represent the cryptographic operations for Encipher Data, Decipher Data, Reencipher From Master Key, and Reencipher To Master Key. A precise definition of these cryptographic operations is unimportant to the present disclosure; however, the method is such that keys encrypted under KM0 can be used beneficially with the ECPH and DCPH functions, keys encrypted under KM1 can be used with the RFMK function, and keys encrypted under KM2 can be used with the RTMK function, but not vice versa. If V0, V1 and V2 denote the mask values which when Exclusive-ORed with KM produce KM0, KM1 and KM2, respectively, then there is an implicit control by the mask values of which cryptographic keys may be beneficially used by which of these cryptographic functions. Although Ehrsam et al. use variants to control the use of cryptographic keys, by coupling the variants to the cryptographic operations, there is a one-to-one equivalence between the cryptographic operations and the prescribed variants of the key parameters allowed with each cryptographic operation. The Ehrsam et al. architecture does not allow different combinations of variants of keys to be used with each cryptographic function. Thus, for example, if ECPH and DCPH are supported and it is desired to implement data keys with properties of Encipher Only, Decipher Only, and Encipher/Decipher using variants V1, V2 and V3, there is no way to assign these variants to the ECPH and DCPH operations to implement the desired data key properties; i.e., there are not enough variants defined for these operations to accomplish the purpose. In effect, to design such a system requires an ECPH1 which operates with V1, an ECPH2 which operates with V3, a DCPH1 which operates with V2, and a DCPH2 which operates with V4. Therefore, the use of variants to control the use of a cryptographic key in a sophisticated architecture would require the function set to be expanded, and this expansion in the function set has disadvantages, the most important of which are the increase of system complexity and cost.
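The variant coupling described above can be seen in a short sketch, added here as an illustration and not taken from the Ehrsam et al. patent or the present disclosure. The key bytes, the mask values, and the hash-based toy_cipher standing in for the block cipher are all constructed assumptions; only the names KM, V0 to V2, ECPH, DCPH, RFMK and RTMK come from the text.

```python
import hashlib

# Constructed sample values: the page gives no key or mask bytes.
KM = bytes.fromhex("0123456789abcdef")
MASKS = {
    "V0": bytes.fromhex("0000000000000000"),
    "V1": bytes.fromhex("8888888888888888"),
    "V2": bytes.fromhex("2222222222222222"),
}
# One variant hard-wired to each operation, as the page describes.
FUNCTION_VARIANT = {"ECPH": "V0", "DCPH": "V0", "RFMK": "V1", "RTMK": "V2"}


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def variant_key(name):
    """KMi = KM XOR Vi."""
    return xor(KM, MASKS[name])


def toy_cipher(key, block):
    """Self-inverse stand-in for the block cipher (hash-derived pad). Not secure."""
    return xor(block, hashlib.sha256(key).digest()[: len(block)])


def wrap(key, variant_name):
    """Encrypt a working key under the named master-key variant."""
    return toy_cipher(variant_key(variant_name), key)


def recover(function, wrapped):
    """What the facility sees: it always unwraps with the function's own variant."""
    return toy_cipher(variant_key(FUNCTION_VARIANT[function]), wrapped)


def allowed_functions(variant_name, key):
    """Operations for which a key wrapped under this variant unwraps correctly."""
    wrapped = wrap(key, variant_name)
    return sorted(f for f in FUNCTION_VARIANT if recover(f, wrapped) == key)


if __name__ == "__main__":
    kd = bytes.fromhex("1122334455667788")  # constructed data key
    for v in MASKS:
        print(v, allowed_functions(v, kd))
```

Because each operation unwraps with exactly one variant, a key wrapped under KM0 is usable by both ECPH and DCPH, and no available variant yields an Encipher Only key without adding a new operation.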
U.S. Pat. No. 4,386,233 to Smid et al. entitled "Cryptographic Key Notarization Methods and Apparatus" issued May 31, 1983, describes a technique of notarizing cryptographic keys for a cryptographic function by encrypting the keys with the cryptographic function using a notarizing cryptographic key derived from identifier designations associated with the encryptor and intended decryptor, respectively, and an interchange key which is accessible only to authorized users of the cryptographic function. In other words, Smid et al. control who can use a key but not how the key can be used. Smid et al.'s notarizing key is derived by concatenating the binary equivalent of the encryptor's identifier designation with the binary equivalent of the decryptor's identifier designation as an ordered pair and logically combining in an Exclusive-OR operation the concatenated result with the interchange key.
U.S. Pat. No. 4,503,287 to Morris et al. entitled "Two-Tiered Communication Security Employing Asymmetric Session Keys" issued Mar. 5, 1985, describes a technique for ensuring communications security between a host computer and another remote computer or terminal by means of a two-tiered cryptographic communications security device and procedure. The Morris et al. technique employs two session keys, one which is encrypted under a master key and transmitted from a remote facility to the host where it is stored, and one which is generated at the host, encrypted under the master key and transmitted to the remote facility where it is used as a session decryptor key.
Thus, while the prior art provides various protocols for distributing cryptographic keys among cryptographically communicating nodes and even provides a way of controlling who may use a cryptographic key at a particular node, there has not been a practical and effective solution to the problem of how to control the use of a cryptographic key at a node, particularly in a sophisticated system. Frequently, different types of keys must be distributed to certain system nodes.